

changeset 0: b3274687478e
child 1: 08c364669209
author: ellis <ellis@rwest.io>
date: Tue, 07 Nov 2023 21:56:24 -0500
files: .hgignore common.mk makefile os/linux/makefile readme.org scripts/get-linux.sh
description: init
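--- /dev/null
+++ b/.hgignore
@@ -0,0 +1,3 @@
+.*[.](fasl|lock|elc|eln|scratch|tar)$
+.*(target|dist|node_modules|target-trunk|build)/.*
+linux/linux-[0-9]+[.].*/.*
\ No newline at end of file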
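--- /dev/null
+++ b/common.mk
@@ -0,0 +1,18 @@
+### common.mk --- common infra rules
+
+### Code:
+__ := $(.VARIABLES)
+COMMON_MK=$(lastword $(MAKEFILE_LIST))
+INFRA_DIR=$(realpath $(dir $(COMMON_MK)))
+INFRA_LISP_FILES=$(shell find $(INFRA_DIR) -type f \( -name '*.asd' -o -name '*.lisp' \) )
+INFRA_BUILD_DIR=$(INFRA_DIR)/build
+INFRA_DIST_DIR=$(INFRA_DIR)/dist
+INFRA_SCRIPT_DIR=$(INFRA_DIR)/scripts
+LINUX_VERSION:=$(shell uname -r | cut -d- -f1)
+SHELL=/bin/sh
+UNAME=$(shell uname)
+CURL:=curl
+CPU_COUNT:=$(shell getconf _NPROCESSORS_ONLN)
+HG_COMMIT:=$(shell hg id -i)
+VERSION:=
+VARS:=$(foreach v,$(filter-out $(__) __,$(.VARIABLES)),"\n$(v) = $($(v))")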
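Review bot: `COMMON_MK=$(lastword $(MAKEFILE_LIST))` and `INFRA_DIR=$(realpath $(dir $(COMMON_MK)))` use the recursive `=` flavour, so they are re-expanded at every reference, and once `makefile` has included `os/linux/makefile` the last word of `MAKEFILE_LIST` is that file, not `common.mk`; any later use of `INFRA_DIR` (or the `INFRA_*_DIR` values derived from it, e.g. inside a recipe) would then resolve under `os/linux/`. No such use is visible in this changeset, but the values only mean what they say if captured at parse time: `COMMON_MK:=$(lastword $(MAKEFILE_LIST))` and `INFRA_DIR:=$(realpath $(dir $(COMMON_MK)))`. `INFRA_LISP_FILES=$(shell find …)` has the same flavour problem and re-runs `find` on every expansion; `INFRA_LISP_FILES:=$(shell find …)` fixes that. `SHELL=/bin/sh` is assigned after several `$(shell …)` calls have already run, so it does not govern them; moving it to the top of the file makes the shell that evaluates them explicit.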
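--- /dev/null
+++ b/makefile
@@ -0,0 +1,3 @@
+### infra/makefile --- The Compiler Company Infrastructure
+include common.mk
+include os/linux/makefile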
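--- /dev/null
+++ b/os/linux/makefile
@@ -0,0 +1,13 @@
+### infra/os/linux/makefile --- Linux builder
+
+### Code:
+LINUX_TARGET:=linux-$(LINUX_VERSION)
+all:$(LINUX_TARGET) config
+$(LINUX_TARGET):scripts/get-linux.sh;
+	mkdir -pv build/$@
+	gpg --export autosigner@ torvalds@ gregkh@ > build/$@/keyring.gpg
+	$< $(LINUX_VERSION) build $(abspath build/$@/keyring.gpg)
+	unxz build/$@.tar.xz && tar -xvf build/$@.tar
+config:build/$(LINUX_TARGET);
+	cd $< && make mrproper -j && zcat /proc/config.gz > .config && make localmodconfig
+clean::;rm -rf build/$(LINUX_TARGET) build/$(LINUX_TARGET).* build/linux-tarball-verify.*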
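Review bot: `config` depends on `build/$(LINUX_TARGET)`, but the `$(LINUX_TARGET)` recipe extracts with `tar -xvf build/$@.tar` into the current directory, so that prerequisite directory holds only `keyring.gpg` and `cd $< && make mrproper` runs outside the kernel tree; the directory is also created only as a side effect of another rule, so under `make -j` the `config` goal can fail with no rule to make it. The keyring is produced with `gpg --export autosigner@ torvalds@ gregkh@`, i.e. address fragments matched against whatever happens to be in the local default keyring, whereas the bundled script's own comment recommends full key ids; a keyring wider than intended widens the set of signatures this build accepts without any error. The recipe also calls bare `make` instead of `$(MAKE)`, and `all`/`config`/`clean` are not declared `.PHONY`. The rewrite below makes the extracted tree the target, unpacks under `build/`, and exports by fingerprint (placeholders to be filled in from a trusted source).
```make
.PHONY: all config clean
all: build/$(LINUX_TARGET) config
# The extracted source tree is the product; build it as the target so config
# can depend on it, and unpack under build/ rather than the current directory.
build/$(LINUX_TARGET): scripts/get-linux.sh
	mkdir -pv build
# Export by full fingerprint rather than address fragment: a fragment matches any
# key in the local keyring whose user id contains that text.
	gpg --export <TORVALDS_FPR> <GREGKH_FPR> <AUTOSIGNER_FPR> > build/keyring.gpg
	$< $(LINUX_VERSION) build $(abspath build/keyring.gpg)
	unxz build/$(LINUX_TARGET).tar.xz && tar -xf build/$(LINUX_TARGET).tar -C build
config: build/$(LINUX_TARGET)
	cd $< && $(MAKE) -j$(CPU_COUNT) mrproper && zcat /proc/config.gz > .config && $(MAKE) localmodconfig
# … unchanged: clean rule …
```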
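--- /dev/null
+++ b/readme.org
@@ -0,0 +1,2 @@
+#+TITLE: comp/infra
+#+AUTHOR: Richard Westhaver <ellis@rwest.io>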
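--- /dev/null
+++ b/scripts/get-linux.sh
@@ -0,0 +1,218 @@
+#!/bin/bash
+# https://git.kernel.org/pub/scm/linux/kernel/git/mricon/korg-helpers.git/tree/get-verified-tarball
+# get-verified-tarball
+# --------------------
+# Get Linux kernel tarball and cryptographically verify it,
+# retrieving the PGP keys using the Web Key Directory (WKD)
+# protocol if they are not already in the keyring.
+#
+# Pass the kernel version as the only parameter, or
+# we'll grab the latest stable kernel.
+#
+# Example: ./get-verified-tarball 4.4.145
+#
+# Configurable parameters
+# -----------------------
+# What kernel version do you want?
+HOST_VER=$(uname -r | cut -d- -f1)
+VER="${1:-$HOST_VER}"
+
+# Where to download the tarball and verification data.
+TARGETDIR=${2:-build/linux-$VER}
+
+# For CI and other automated infrastructure, you may want to
+# create a keyring containing the keys belonging to:
+#  - autosigner@kernel.org
+#  - torvalds@kernel.org
+#  - gregkh@kernel.org
+#
+# To generate the keyring with these keys, do:
+#   gpg --export autosigner@ torvalds@ gregkh@ > keyring.gpg
+#   (or use full keyids for maximum certainty)
+#
+# Once you have keyring.gpg, install it on your CI system and set
+# USEKEYRING to the full path to it. If unset, we generate our own
+# from GNUPGHOME.
+# need to run make linux-keys first
+USEKEYRING=${3}
+
+# If you set this to empty value, we'll make a temporary
+# directory and fetch the verification keys from the
+# Web Key Directory each time. Also, see the USEKEYRING=
+# configuration option for an alternative that doesn't
+# rely on WKD.
+GNUPGHOME="$HOME/.gnupg"
+
+# Point this at your GnuPG binary version 2.1.11 or above.
+# If you are using USEKEYRING, GnuPG-1 will work, too.
+GPGBIN="/usr/bin/gpg2"
+GPGVBIN="/usr/bin/gpgv2"
+# We need a compatible version of sha256sum, too
+SHA256SUMBIN="/usr/bin/sha256sum"
+# And curl
+CURLBIN="/usr/bin/curl"
+# And we need the xz binary
+XZBIN="/usr/bin/xz"
+
+# You shouldn't need to modify this, unless someone
+# other than Linus or Greg start releasing kernels.
+DEVKEYS="torvalds@kernel.org gregkh@kernel.org"
+# Don't add this to DEVKEYS, as it plays a wholly
+# different role and is NOT a key that should be used
+# to verify kernel tarball signatures (just the checksums).
+SHAKEYS="autosigner@kernel.org"
+
+if [[ -z ${VER} ]]; then
+    # Assume you want the latest stable
+    VER=$(${CURLBIN} -sL https://www.kernel.org/finger_banner \
+          | grep 'latest stable version' \
+          | awk -F: '{gsub(/ /,"", $0); print $2}')
+fi
+if [[ -z ${VER} ]]; then
+    echo "Could not figure out the latest stable version."
+    exit 1
+fi
+
+MAJOR="$(echo ${VER} | cut -d. -f1)"
+if [[ ${MAJOR} -lt 3 ]]; then
+    echo "This script only supports kernel v3.x.x and above"
+    exit 1
+fi
+
+if [[ ! -d ${TARGETDIR} ]]; then
+    echo "${TARGETDIR} does not exist"
+    exit 1
+fi
+
+TARGET="${TARGETDIR}/linux-${VER}.tar.xz"
+# Do we already have this file?
+if [[ -f ${TARGET} ]]; then
+    echo "File ${TARGETDIR}/linux-${VER}.tar.xz already exists."
+    exit 0
+fi
+
+# Start by making sure our GnuPG environment is sane
+if [[ ! -x ${GPGBIN} ]]; then
+    echo "Could not find gpg in ${GPGBIN}"
+    exit 1
+fi
+if [[ ! -x ${GPGVBIN} ]]; then
+    echo "Could not find gpgv in ${GPGVBIN}"
+    exit 1
+fi
+
+# Let's make a safe temporary directory for intermediates
+TMPDIR=$(mktemp -d ${TARGETDIR}/linux-tarball-verify.XXXXXXXXX.untrusted)
+echo "Using TMPDIR=${TMPDIR}"
+# Are we using a keyring?
+if [[ -z ${USEKEYRING} ]]; then
+    if [[ -z ${GNUPGHOME} ]]; then
+        GNUPGHOME="${TMPDIR}/gnupg"
+    elif [[ ! -d ${GNUPGHOME} ]]; then
+        echo "GNUPGHOME directory ${GNUPGHOME} does not exist"
+        echo -n "Create it? [Y/n]"
+        read YN
+        if [[ ${YN} == 'n' ]]; then
+            echo "Exiting"
+            rm -rf ${TMPDIR}
+            exit 1
+        fi
+    fi
+    mkdir -p -m 0700 ${GNUPGHOME}
+    echo "Making sure we have all the necessary keys"
+    ${GPGBIN} --batch --quiet \
+        --homedir ${GNUPGHOME} \
+        --auto-key-locate wkd \
+        --locate-keys ${DEVKEYS} ${SHAKEYS}
+    # If this returned non-0, we bail
+    if [[ $? != "0" ]]; then
+        echo "Something went wrong fetching keys"
+        rm -rf ${TMPDIR}
+        exit 1
+    fi
+    # Make a temporary keyring and set USEKEYRING to it
+    USEKEYRING=${TMPDIR}/keyring.gpg
+    ${GPGBIN} --batch --export ${DEVKEYS} ${SHAKEYS} > ${USEKEYRING}
+fi
+# Now we make two keyrings -- one for the autosigner, and
+# the other for kernel developers. We do this in order to
+# make sure that we never verify kernel tarballs using the
+# autosigner keys, only using developer keys.
+SHAKEYRING=${TMPDIR}/shakeyring.gpg
+${GPGBIN} --batch \
+    --no-default-keyring --keyring ${USEKEYRING} \
+    --export ${SHAKEYS} > ${SHAKEYRING}
+DEVKEYRING=${TMPDIR}/devkeyring.gpg
+${GPGBIN} --batch \
+    --no-default-keyring --keyring ${USEKEYRING} \
+    --export ${DEVKEYS} > ${DEVKEYRING}
+
+# Now that we know we can verify them, grab the contents
+TXZ="https://cdn.kernel.org/pub/linux/kernel/v${MAJOR}.x/linux-${VER}.tar.xz"
+SIG="https://cdn.kernel.org/pub/linux/kernel/v${MAJOR}.x/linux-${VER}.tar.sign"
+SHA="https://www.kernel.org/pub/linux/kernel/v${MAJOR}.x/sha256sums.asc"
+
+# Before we verify the developer signature, we make sure that the
+# tarball matches what is on the kernel.org master. This avoids
+# CDN cache poisoning that could, in theory, use vulnerabilities in
+# the XZ binary to alter the verification process or compromise the
+# system performing the verification.
+SHAFILE=${TMPDIR}/sha256sums.asc
+echo "Downloading the checksums file for linux-${VER}"
+if ! ${CURLBIN} -sL -o ${SHAFILE} ${SHA}; then
+    echo "Failed to download the checksums file"
+    rm -rf ${TMPDIR}
+    exit 1
+fi
+echo "Verifying the checksums file"
+COUNT=$(${GPGVBIN} --keyring=${SHAKEYRING} --status-fd=1 ${SHAFILE} \
+        | grep -c -E '^\[GNUPG:\] (GOODSIG|VALIDSIG)')
+if [[ ${COUNT} -lt 2 ]]; then
+    echo "FAILED to verify the sha256sums.asc file."
+    rm -rf ${TMPDIR}
+    exit 1
+fi
+# Grab only the tarball we want from the full list
+SHACHECK=${TMPDIR}/sha256sums.txt
+grep "linux-${VER}.tar.xz" ${SHAFILE} > ${SHACHECK}
+
+echo
+echo "Downloading the signature file for linux-${VER}"
+SIGFILE=${TMPDIR}/linux-${VER}.tar.asc
+if ! ${CURLBIN} -sL -o ${SIGFILE} ${SIG}; then
+    echo "Failed to download the signature file"
+    rm -rf ${TMPDIR}
+    exit 1
+fi
+echo "Downloading the XZ tarball for linux-${VER}"
+TXZFILE=${TMPDIR}/linux-${VER}.tar.xz
+if ! ${CURLBIN} -L -o ${TXZFILE} ${TXZ}; then
+    echo "Failed to download the tarball"
+    rm -rf ${TMPDIR}
+    exit 1
+fi
+
+pushd ${TMPDIR} >/dev/null
+echo "Verifying checksum on linux-${VER}.tar.xz"
+if ! ${SHA256SUMBIN} -c ${SHACHECK}; then
+    echo "FAILED to verify the downloaded tarball checksum"
+    popd >/dev/null
+    rm -rf ${TMPDIR}
+    exit 1
+fi
+popd >/dev/null
+
+echo
+echo "Verifying developer signature on the tarball"
+COUNT=$(${XZBIN} -cd ${TXZFILE} \
+        | ${GPGVBIN} --keyring=${DEVKEYRING} --status-fd=1 ${SIGFILE} - \
+        | grep -c -E '^\[GNUPG:\] (GOODSIG|VALIDSIG)')
+if [[ ${COUNT} -lt 2 ]]; then
+    echo "FAILED to verify the tarball!"
+    rm -rf ${TMPDIR}
+    exit 1
+fi
+mv -f ${TXZFILE} ${TARGET}
+rm -rf ${TMPDIR}
+echo
+echo "Successfully downloaded and verified ${TARGET}"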
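Review bot: The header comment no longer describes the interface: `VER="${1:-$HOST_VER}"` defaults the version to the running kernel, so the "or we'll grab the latest stable kernel" path through `finger_banner` is reachable only when `uname -r` yields nothing, and the script now takes two further positional arguments (`TARGETDIR`, `USEKEYRING`) that the header does not mention. Suggest replacing the usage lines with `# Usage: get-linux.sh [VERSION [TARGETDIR [KEYRING]]]` and `# VERSION defaults to the running kernel (uname -r); TARGETDIR to build/linux-$VER and must exist; KEYRING, when given, is used instead of GNUPGHOME/WKD.` The comment `# need to run make linux-keys first` above `USEKEYRING=${3}` names a target that does not exist in this changeset — the keyring is produced inline by the recipe in `os/linux/makefile` — so it should say that or be dropped. Separately, the three `${GPGBIN} … --export … > …` redirections that build `USEKEYRING`, `SHAKEYRING` and `DEVKEYRING` are never checked; an empty keyring makes the later `gpgv` counts fall below 2 and the script fails closed, but the error reported is "FAILED to verify" rather than the real cause, so `|| { echo "Failed to export keys"; rm -rf ${TMPDIR}; exit 1; }` on each would make failures diagnosable.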